'how to prevent xss attack on angular applications

I have this script in my response <img src=x onerror="alert('attack')" and in my .ts file i'm doing this document.getElementById("help").innerHTML=this.help; and it is executing in frontend and giving alert .. suggest how to stop this using content-security-policy as but no use.. any suggestions? please help

angularxsscontent-security-policy


Solution 1:[1]

For the onerror event attribute you'll need to rewrite using an event listener instead, preferably in a separate js file and not inline.

If it is unformatted text you aim to insert with innerHTML you should use textContent method instead as it is XSS safe. Another option is also to use DOMPurify to make it XSS safe.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Halvor Sakshaug

Related Questions

Loading indication with a delay and anti-flickering in RxJS

Loading indication with a delay and anti-flickering in RxJS

Loading indication with a delay and anti-flickering in RxJS

Loading indication with a delay and anti-flickering in RxJS

Dynamically add meta tags to index.html for shared link previews

Dynamically add meta tags to index.html for shared link previews

Dynamically add meta tags to index.html for shared link previews

Dynamically add meta tags to index.html for shared link previews

Angular MomentDateTimeAdapter not building after angular 8 update

advanced-http: "data" option is configured to support only following data types: object

How to mock browser requests based on har files?

Selecting options from Mat-select using cypress

Angular Material mat-select - Showing count number along with the first selected value in multiple selection

I can't access page using http-server

How to add event Listeners in Angular?